2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

General
Target: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
Filesize: 572KB
Completed: 07-04-2021 13:11
Score: 10/10
MD5: c882de666f59cdeff7c0f5611d18fa3f
SHA1: 2cd4c99affc6aaeae73c0899a77b18d66c9ff2fb
SHA256: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

Malware Config
Extracted
Family: emotet
Botnet: Epoch2
C2

rsa_pubkey.plain
Signatures (9)

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory
    wraphant.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | wraphant.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies data under HKEY_USERS
    wraphant.exe

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 50cc57fcaf2bd701 | wraphant.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | wraphant.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | wraphant.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | wraphant.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wraphant.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" | wraphant.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wraphant.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | wraphant.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | wraphant.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 | wraphant.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77 | wraphant.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network" | wraphant.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" | wraphant.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 10d741c0af2bd701 | wraphant.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wraphant.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wraphant.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD} | wraphant.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0" | wraphant.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 10d741c0af2bd701 | wraphant.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl | wraphant.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 50cc57fcaf2bd701 | wraphant.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | wraphant.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | wraphant.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | wraphant.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1" | wraphant.exe
  • Suspicious behavior: EmotetMutantsSpam
    2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, wraphant.exe

    Reported IOCs

    pid | process
    1888 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    876 | wraphant.exe
  • Suspicious behavior: EnumeratesProcesses
    wraphant.exe

    Reported IOCs

    pid | process
    876 | wraphant.exe
    876 | wraphant.exe
    876 | wraphant.exe
    876 | wraphant.exe
  • Suspicious behavior: RenamesItself
    2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

    Reported IOCs

    pid | process
    1888 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
  • Suspicious use of SetWindowsHookEx
    2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, wraphant.exe

    Reported IOCs

    pid | process
    1724 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    1888 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    1064 | wraphant.exe
    876 | wraphant.exe
  • Suspicious use of WriteProcessMemory
    2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, wraphant.exe

    Reported IOCs

    description | pid | process | target process
    PID 1724 wrote to memory of 1888 | 1724 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    PID 1724 wrote to memory of 1888 | 1724 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    PID 1724 wrote to memory of 1888 | 1724 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    PID 1724 wrote to memory of 1888 | 1724 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    PID 1064 wrote to memory of 876 | 1064 | wraphant.exe | wraphant.exe
    PID 1064 wrote to memory of 876 | 1064 | wraphant.exe | wraphant.exe
    PID 1064 wrote to memory of 876 | 1064 | wraphant.exe | wraphant.exe
    PID 1064 wrote to memory of 876 | 1064 | wraphant.exe | wraphant.exe
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    "C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
      --ca061b2d
      Suspicious behavior: EmotetMutantsSpam
      Suspicious behavior: RenamesItself
      Suspicious use of SetWindowsHookEx
      PID:1888
  • C:\Windows\SysWOW64\wraphant.exe
    "C:\Windows\SysWOW64\wraphant.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\wraphant.exe
      --6e93b09b
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EmotetMutantsSpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:876
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation